AWS/Azure/OpenShift Security | Vulnerability Scans and Assessment Windows

Configure Windows LAPS Management with Microsoft Intune


In this post, I will show you how to Configure Windows LAPS Management with Microsoft Intune. Windows LAPS management with Intune is simple and straightforward. On April 11, 2023, Microsoft announced that new LAPS capabilities were coming directly to your devices. The LAPS comes with new security updates. It is compatible with Windows editions: Windows 11 Pro, EDU, and Enterprise, Windows 10 Pro, EDU, and Enterprise, Windows Server 2022 and Windows Server Core 2022, and Windows Server 2019. You can also modify Windows 11 Taskbar via Intune and GPO. There are a lot you can do with Intune such as managing Windows Defender Antivirus Through Microsoft Endpoint Manager Admin Dashboard and Intune

With LAPs, IT Administrators can encrypt and protect local administrator credentials using the Windows Local Administrator Password Solution (Windows LAPS), a feature of Windows. This includes backing up the passwords to Azure Active Directory or Active Directory and rotating them automatically. Below is a video on how LAPS works. Kindly subscribe to our YouTube Channel.

Src: Micrsoft

Using Microsoft Intune, you may set up Windows LAPS on your Windows workstations. See this related post to learn what ADK, MDT, Microsoft Endpoint Configuration Manager (SCCM), Intune, Autopilot, and WSUS is all about.

What is LAPS, and why do we need it?

The “Local Administrator Password Solution” (LAPS) allows domain-joined workstations to manage local account passwords. Only authorized users are able to access or request the reset of passwords since they are stored in Active Directory (AD) and secured by ACL. Please see how to Install Windows Admin Center on Windows 10 and Windows 11, and how to schedule and run updates via Windows Admin Center.

Password management can become a difficult problem when users must log on to devices without domain credentials (such as local admin). The possibility of a Pass-the-Hash (PtH) credential replay attack is significantly increased in such environments. Using a common local account with the same password on each machine in a domain is a problem that LAPS addresses. Please see how to configure Windows LAPS in Active Directory.

This problem is fixed by LAPS by assigning a unique, random password to each machine in the domain for the common local administrator account. By utilizing the solution, domain administrators can identify which individuals, such as help desk administrators, are permitted to access passwords.

Configuring LAPS with Microsoft Intune

To configure LAPS with Intune, follow the below steps:

Step 1: Create an Account Protection Policy. Visit the Microsoft Intune Portal and navigate to Endpoint Security > Account Protection+ Create Policy

Account Protection Creation Page

In the Platform field, select Windows 10 or later and in the Profile, select Local admin password solution (Windows LAPS) and click on Create.

Creating Profile Policy

Specify a unique name for your new policy and description (optional) and then click Next

Specifying the Policy Name

On the configuration page, in the Backup Directory field, select Backup the password to Azure AD only.

Configuring the Policy

You can learn more about the above configuration settings in the official documentation maintained by Microsoft.

Skip the scope tags page and move directly to the Assignments tab. When you are there, assign the new policy to a device group, or all devices.

Assigning New Policy to All Devices

In the Review + Create pane, confirm the policy meets your requirements before creating it.

Review and Create

Accessing the Local Admin Password of a Device

There are a number of options for an administrator to view the local administrator password. These include PowerShell, Microsoft Entra, and the Intune Admin Portal. Here, we are just going to view it through Microsoft Entra Admin Center.

Please see how to use GitHub as Source Provider to AWS CodePipeline, how to add and remove Multiple Virtual Desktops in Windows 10 Multitasking, How to configure Pleasant Password MsSQL SSO, how to create a Mapped Drive via GPO Preferences and how to delete Apps from Launchpad on Mac

Viewing Using Microsoft Entra

Visit the Microsoft Entra admin portal. Check through the left pane under Azure Active Directory, click on Devices, then click All Devices.

All Devices

Now click on the device of your choice and then click on Show local administrative password to view it.

Viewing Local Administrative Password from Intune Dashboard

In this post, you have learned how to Configure Windows LAPS Management with Microsoft Intune. Microsoft Intune. Microsoft Intune is a Microsoft cloud-based unified endpoint management service for both corporate and BYOD devices.

It extends some of the “on-premises” functionality of Microsoft Endpoint Configuration Manager to the Microsoft Azure cloud.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x